EVP_MD-SHAKE.7ossl - Man Page

The SHAKE / KECCAK family EVP_MD implementations

Description

Support for computing SHAKE or KECCAK-KMAC digests through the EVP_MD API.

KECCAK-KMAC is an Extendable Output Function (XOF), with a definition similar to SHAKE, used by the KMAC EVP_MAC implementation (see EVP_MAC-KMAC(7)).

Identities

This implementation is available in the FIPS provider as well as the default provider, and includes the following varieties:

KECCAK-KMAC-128

Known names are "KECCAK-KMAC-128" and "KECCAK-KMAC128".  This is used by EVP_MAC-KMAC128(7).  Using the notation from NIST FIPS 202 (Section 6.2), we have KECCAK-KMAC-128(M, d) = KECCAK[256](M || 00, d) (see the description of KMAC128 in Appendix A of NIST SP 800-185).

KECCAK-KMAC-256

Known names are "KECCAK-KMAC-256" and "KECCAK-KMAC256".  This is used by EVP_MAC-KMAC256(7).  Using the notation from NIST FIPS 202 (Section 6.2), we have KECCAK-KMAC-256(M, d) = KECCAK[512](M || 00, d) (see the description of KMAC256 in Appendix A of NIST SP 800-185).

SHAKE-128

Known names are "SHAKE-128" and "SHAKE128".

SHAKE-256

Known names are "SHAKE-256" and "SHAKE256".

Parameters

This implementation supports the following OSSL_PARAM(3) entries:

"xoflen" (OSSL_DIGEST_PARAM_XOFLEN) <unsigned integer>

Sets or Gets the digest length for extendable output functions. The length of the "xoflen" parameter should not exceed that of a size_t.

The SHAKE-128 and SHAKE-256 implementations do not have any default digest length.

This parameter must be set before calling either EVP_DigestFinal_ex() or EVP_DigestFinal(), since these functions were not designed to handle variable length output. It is recommended to either use EVP_DigestSqueeze() or EVP_DigestFinalXOF() instead.

"size" (OSSL_DIGEST_PARAM_SIZE) <unsigned integer>

An alias of "xoflen".

See "PARAMETERS" in EVP_DigestInit(3) for further information related to parameters

Notes

For SHAKE-128, to ensure the maximum security strength of 128 bits, the output length passed to EVP_DigestFinalXOF() should be at least 32.

For SHAKE-256, to ensure the maximum security strength of 256 bits, the output length passed to EVP_DigestFinalXOF() should be at least 64.

See Also

EVP_MD_CTX_set_params(3), provider-digest(7), OSSL_PROVIDER-default(7)

History

Since OpenSSL 3.4 the SHAKE-128 and SHAKE-256 implementations have no default digest length.

Referenced By

EVP_sha3_224.3ossl(3), OSSL_PROVIDER-default.7ossl(7), OSSL_PROVIDER-FIPS.7ossl(7), provider-digest.7ossl(7).

The man page EVP_MD-KECCAK-KMAC.7ossl(7) is an alias of EVP_MD-SHAKE.7ossl(7).

2025-04-15 3.5.0 OpenSSL